CVE-2026-42358: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Apache Software Foundation Apache Airflow
A bug in Apache Airflow's Variable response masker caused nested-key redaction (triggered by secret-suffixed key names like `password`, `token`, `secret`, `api_key`) to be bypassed when the JSON value's nesting depth exceeded the shared secrets masker's recursion limit: the masker returned the original nested item before checking the sensitive key name. An authenticated UI/API user with Variable read permission could harvest plaintext secret values stored under sensitive keys nested deep enough to exceed the masker's depth cap. Affects deployments that store sensitive values inside deeply-nested JSON Variables. This is a residual gap in the fix for CVE-2026-32690 (which covered shallower nesting via `max_depth=1`); the depth-limit boundary itself was not raised, so the same key-name bypass pattern reappears beyond the recursion cap. Users who already upgraded for CVE-2026-32690 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the deep-nesting path.
AI Analysis
Technical Summary
Apache Airflow's Variable response masker is designed to redact sensitive information in JSON variables by masking keys with secret-suffixed names. However, the masker has a recursion depth limit, and if sensitive keys are nested deeper than this limit, the masker returns the original unredacted value. This allows authenticated UI/API users with Variable read permissions to retrieve plaintext secrets stored in deeply nested JSON variables. The vulnerability is a continuation of a previous issue fixed for shallow nesting but not for deeper nesting. The recommended fix is to upgrade Apache Airflow to version 3.2.2 or later, which addresses this deep-nesting masking bypass.
Potential Impact
An authenticated user with Variable read permission can access sensitive secret values in plaintext if those secrets are stored in deeply nested JSON variables exceeding the masker's recursion depth. This exposure could lead to unauthorized disclosure of credentials or tokens stored in Airflow variables. The impact is limited to users with Variable read permissions and deployments that store secrets in deeply nested JSON structures.
Mitigation Recommendations
Users should upgrade Apache Airflow to version 3.2.2 or later to address this vulnerability. This version raises the recursion depth limit for the Variable response masker, preventing the bypass of secret redaction in deeply nested JSON variables. No other mitigation or temporary fix is indicated. Patch status is not explicitly confirmed in the advisory, but the upgrade recommendation implies an official fix is available in 3.2.2+.
CVE-2026-42358: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Apache Software Foundation Apache Airflow
Description
A bug in Apache Airflow's Variable response masker caused nested-key redaction (triggered by secret-suffixed key names like `password`, `token`, `secret`, `api_key`) to be bypassed when the JSON value's nesting depth exceeded the shared secrets masker's recursion limit: the masker returned the original nested item before checking the sensitive key name. An authenticated UI/API user with Variable read permission could harvest plaintext secret values stored under sensitive keys nested deep enough to exceed the masker's depth cap. Affects deployments that store sensitive values inside deeply-nested JSON Variables. This is a residual gap in the fix for CVE-2026-32690 (which covered shallower nesting via `max_depth=1`); the depth-limit boundary itself was not raised, so the same key-name bypass pattern reappears beyond the recursion cap. Users who already upgraded for CVE-2026-32690 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the deep-nesting path.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Apache Airflow's Variable response masker is designed to redact sensitive information in JSON variables by masking keys with secret-suffixed names. However, the masker has a recursion depth limit, and if sensitive keys are nested deeper than this limit, the masker returns the original unredacted value. This allows authenticated UI/API users with Variable read permissions to retrieve plaintext secrets stored in deeply nested JSON variables. The vulnerability is a continuation of a previous issue fixed for shallow nesting but not for deeper nesting. The recommended fix is to upgrade Apache Airflow to version 3.2.2 or later, which addresses this deep-nesting masking bypass.
Potential Impact
An authenticated user with Variable read permission can access sensitive secret values in plaintext if those secrets are stored in deeply nested JSON variables exceeding the masker's recursion depth. This exposure could lead to unauthorized disclosure of credentials or tokens stored in Airflow variables. The impact is limited to users with Variable read permissions and deployments that store secrets in deeply nested JSON structures.
Mitigation Recommendations
Users should upgrade Apache Airflow to version 3.2.2 or later to address this vulnerability. This version raises the recursion depth limit for the Variable response masker, preventing the bypass of secret redaction in deeply nested JSON variables. No other mitigation or temporary fix is indicated. Patch status is not explicitly confirmed in the advisory, but the upgrade recommendation implies an official fix is available in 3.2.2+.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-04-26T17:13:44.915Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1d4e71e29bf47b50cd497f
Added to database: 6/1/2026, 9:18:41 AM
Last enriched: 6/1/2026, 9:36:10 AM
Last updated: 6/2/2026, 4:35:01 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.